This module should be read in conjunction with the Introduction and with the
Glossary, which contains an explanation of abbreviations and other terms 
used in this Manual. If reading on line, click on blue underlined headings to 
activate hyperlinks to the relevant module. 


Purpose 


To set out the HKMA’s expectations on the key role, responsibilities
and qualities of an AI’s internal audit function, and describe the
approach that the HKMA will adopt in assessing the effectiveness of
the function.


Classification 


A non-statutory guideline issued by the MA as a guidance note. 


Previous guidelines superseded 
IC-2 “Internal Audit Function” (V.1) dated 14.07.09. 


Application 
To all AIs.
Structure 
1. Introduction 
1.1 Background 
1.2 Application 
2. Hierarchy of responsibilities 
2.1 General 
2.2 Board of directors 
2.3 Senior management 
2.4 Internal audit function 
2.5 Audit Committee 


3. Key qualities expected of internal audit function 
3.1 Independence
3.2 Authority and standing 
3.3 Objectivity and impartiality 
3.4 Resources and professional competence 
3.5 Continuity 

4. Work process of internal audit function 
4.1 General 
4.2 Audit plan 
4.3 Audit programme 
4.4 Audit procedures 
4.5 Audit reporting 
4.6 Follow-up procedures 

5. Relationship with risk management and compliance functions 
and external auditors 
5.1 Risk management and compliance functions 
5.2 External auditors 

6. Outsourcing of internal audit function 
6.1 General 
6.2 Full or partial outsourcing 
6.3 Criteria for outsourcing 
6.4 Reporting arrangements 

7. Supervisory assessment of internal audit function 
7.1 General 
7.2 Scope of assessment 
7.3 Means of assessment 
7.4 Supervisory actions 
1. Introduction

1.1 Background

1.1.1 Paragraph 10 of the Seventh Schedule to the Banking
Ordinance requires AIs to maintain, on and after
authorization, adequate accounting systems and
adequate systems of control. It is therefore important
for the board of directors (“Board”) and senior
management of an AI to monitor and assess whether the
AI’s internal control systems are adequate, particularly in
relation to ensuring effective governance and risk
management, reliable and timely reporting of financial
and management information, and compliance with
relevant laws and regulations, supervisory guidelines,
market codes and standards, as well as internal policies
and procedures.

1.1.2 An internal audit function (“IAF”) is essential to the
maintenance of adequate internal control systems in that
it provides the Board and senior management of an AI
with an independent, objective evaluation of the condition
of the AI’s systems and controls on an ongoing basis, and
helps in improving their effectiveness by identifying
weaknesses to be rectified and making recommendations
for enhancement. This independent evaluation process
is crucial to an AI’s continuing development in the light of
rapidly changing business environments that may bring
about new risks and control challenges to the AI.

1.1.3 An effective IAF also facilitates the supervisory work of
the HKMA by providing a valuable source of information
that it may take into account for assessing the quality of
an AI’s internal control systems. As noted in paragraph
7.3.3, the HKMA will have regular communication with an
AI’s internal auditors or other relevant persons to discuss
issues of interest, including but not limited to the IAF’s
audit plan and its work and findings relating to the AI’s
internal control processes.


1.2 Application 


1.2.1 Every AI is expected to maintain an IAF that is
appropriate for the size, nature, scope and complexity of
its operations. With the increasing trend of AIs
diversifying their activities into different products and
markets and the growing complexity of the business
environments in which they operate, AIs should recognise
the need to continuously upgrade their internal control
systems, and to have an IAF that is equipped with the
necessary expertise, resources and authority to
safeguard the integrity of these systems.

1.2.2 Locally incorporated AIs should apply the standards set
out in this module to their business activities on a
group-wide basis. Where an AI has a significant branch or
subsidiary abroad, the AI should consider establishing an
internal audit office there to ensure the efficiency and
continuity of the internal auditing work on those
operations. Such overseas offices should be part of the
AI’s IAF and be able to comply with the standards in this
module. The AI should also ensure that the IAF has
unlimited access to the activities of all of its branches and
subsidiaries, whether domestic or overseas, and that the
IAF carries out on-site audits of those activities at
sufficiently regular and timely intervals to ensure that
internal control systems are functioning adequately and
properly.

1.2.3 For AIs which are branches or subsidiaries of foreign
banks (including subsidiaries of regulated financial
holding companies), the HKMA will take into account the
work of their group IAF on their local operations in
assessing whether they satisfy the standards set out in
this module. Where their local operations are sizeable in
terms of the risks posed to the institutions themselves
and the market as a whole, they are expected to have
their own internal auditors in Hong Kong as part of their
group IAF. Those with small operations in Hong Kong
may, subject to the standards in this module, rely on their
group IAF and/or competent external parties to whom
internal audit activities have been outsourced (see
section 6 for more details) to cover such operations.

1.2.4 AIs that do not conform fully with the standards set out in
this module should satisfy the HKMA that alternative
measures are in place which are equally robust in
achieving the purposes of these standards.

1.2.5 AIs are expected to refer periodically to the latest
professional standards and best practices published from
time to time by professional bodies such as the Institute
of Internal Auditors for further guidance on a more
technical level.

2. Hierarchy of responsibilities 


2.1 General 


2.1.1 The effectiveness of an IAF depends to a large extent on
the commitment of the Board and senior management of
an AI to maintaining strong internal control systems that
are responsive to the changing landscape of risks faced
by the AI, as well as an adequately resourced and
competent IAF to help ensure that this is the case.

2.2 Board of directors

2.2.1 The Board has the ultimate responsibility for ensuring that
effective internal control systems and processes are in
place given the size, nature, scope and complexity of an
AI’s business activities. In this regard, the Board should,
among other things —

• have a broad understanding of the risks inherent in
the AI’s business activities (including those arising
from any new developments, initiatives, products and
operational changes), with a particular focus on
those that may be material to the business and
affairs of the AI;

• ensure the competence of senior management in
establishing, implementing and maintaining —

  - an adequate and effective system of internal
  controls;

  - a process for identifying, assessing and
  controlling the various risks of the AI’s business
  activities;

  - appropriate methods for monitoring compliance
  with laws, regulations, supervisory guidelines and
  internal policies; and

• review the effectiveness of the AI’s internal control
systems and processes at least once a year (or on a
more frequent basis as necessary). Such review
may be conducted by the Audit Committee as
appropriate.
2.2.2 In respect of internal audit specifically, the Board is
primarily responsible for ensuring that the IAF is effective
in performing an independent assessment of the
adequacy of internal control systems in covering all
relevant risks of the AI. Detailed responsibilities that the
Board may delegate to the Audit Committee to ensure the
effectiveness of the IAF are included in subsection 2.5.

2.3 Senior management

2.3.1 Senior management is responsible for the establishment,
implementation and maintenance of effective systems of
internal control within the AI. Accordingly, senior
management should, among other things —

• maintain an organisational structure that clearly
assigns responsibility, authority and reporting
relationships and ensure that delegated
responsibilities are effectively carried out;

• develop processes and procedures at a sufficiently
detailed level to identify, measure, monitor and control
risks inherent in the AI’s business activities (including
those arising from any new developments, initiatives,
products and operational changes);

• set appropriate policies and monitor the effectiveness
of the AI’s internal control systems; and

• report to the Board at least once a year (or on a more
frequent basis as necessary) on the scope and
performance of the AI’s internal control systems.

2.3.2 In respect of internal audit specifically, an AI’s senior
management is responsible for ensuring that the
recommendations of the IAF are properly implemented at
all relevant levels of management. Senior management
should also keep the IAF fully informed on a timely basis
of any substantial new developments, initiatives, products
and operational changes affecting the AI so that any
associated risks can be identified at an early stage. In
deciding the scope of information to be provided to the
IAF, senior management is expected to take into account
the information needs of the Head of IAF to enable him to
adequately and properly discharge his responsibilities.

2.4 Internal audit function








Hong Kong Monetary Authority
Supervisory Policy Manual
IC-2 Internal Audit Function V.2 — 31.10.2017








2.4.1 An effective IAF assists the Board and senior
management in the discharge of their responsibilities as
described above by providing independent assessment
and assurance on the AI’s internal control systems. The
IAF should regularly report to, and advise, the Board (or
the Audit Committee) and senior management on the
results of its assessments (see subsection 4.5 for
relevant reporting standards).

2.4.2 The IAF is accountable to the Board (through the Board’s
Audit Committee) and its key responsibilities should
include conducting independent assessments of the:

• compliance with internal policies and risk
management controls as well as relevant laws,
regulations, and supervisory guidelines;

• reliability (including integrity, accuracy and
comprehensiveness) and timeliness of financial and
management information (including information for
regulatory reporting);

• continuity and reliability of management and financial
information systems, including electronic information
systems (for internal and regulatory reporting);

• effectiveness of the control environment supporting
the accuracy of accounting records, regulatory reports
and management reports;

• efficiency of operations through testing of both
transactions and the functioning of specific internal
control procedures; and

• effectiveness of the systems and processes for
internal control throughout the organisation, including
safeguarding of assets and fraud detection and
prevention.

2.4.3 In addition, the IAF may be involved in the carrying out of
special investigations as directed by the Board (or the
Audit Committee) or senior management from time to
time. Such investigations may occasionally arise from
supervisory requests.

2.4.4 The Head of IAF should be responsible for ensuring the
effectiveness and efficiency of the IAF in discharging the
above responsibilities. Specifically, the Head of IAF
should —

• have the organizational stature, skills, knowledge and
authority necessary to lead the IAF in providing
reliable and independent assessments of the quality
and effectiveness of the AI’s internal control systems;

• ensure that the IAF complies with sound internal
auditing standards and relevant codes of ethics¹;

• establish an audit charter, an audit plan, and written
policies and procedures to be followed by staff in the
IAF;

• ensure that staff in the IAF are professionally
competent and well-trained, and that necessary
resources are available; and

• establish and ensure an effective mechanism for
reporting audit findings and recommendations, and
the progress on implementation of the
recommendations, to all appropriate levels of
management and the Board (or the Audit Committee
(see section 2.5)).

¹ For example, International Standards for the Professional Practice of Internal Auditing issued by the
Institute of Internal Auditors (IIA) and the code of ethics issued by IIA and the International Ethics
Standards Board for Accountants.

2.5 Audit Committee

2.5.1 For practical reasons, and where the nature and scope of
their operations warrant, AIs are generally expected to
establish an Audit Committee to assist the Board in
ensuring the adequacy of internal control systems and
reinforcing the work of internal and external auditors (see
CG-1 “Corporate Governance of Locally Incorporated
Authorized Institutions” for the relevant requirements,
including the composition of the Audit Committee).

2.5.2 The Board is expected to delegate to the Audit
Committee responsibilities to —

• draw up, review and update periodically a written
charter for the Board’s approval indicating the Audit
Committee’s composition, authority and duties, as well
as the manner of reporting to the entire Board;
















• monitor the AI’s financial reporting process and
relevant output, including arrangements through which
concerns about possible improprieties in matters of
financial reporting can be raised;

• oversee the establishment of the AI’s accounting
policies and practices (including quality of accounting
estimates and disclosures) and review significant
judgements made in financial reporting within the AI’s
financial statements;

• appoint (or make recommendations to the Board
regarding the appointment of) the Head of IAF;

• approve the audit charter drawn up and updated
periodically by the IAF (see subsection 3.2 for further
details);

• approve, periodically, the audit plan as well as the
related manpower and financial resources required
after identifying the areas of risk within the AI’s
operations to be covered;

• review the performance of the Head of IAF and the
effectiveness of the IAF;

• review reports and significant recommendations
provided by the IAF and management plans for their
implementation;

• make recommendations to the Board with regard to
the appointment of the AI’s external auditors and
related matters (e.g. terms of engagement and
remuneration) and oversee the work of the external
auditors (e.g. consider their audit work plan and
review their audit conclusions and recommendations);

• report to the Board regularly on the work performed by
the Committee and its significant findings, and the
progress made by the senior management in
implementing any remedial actions to address
deficiencies identified in the AI’s internal control
systems (including those identified by internal and
external auditors, the Audit Committee itself or the
HKMA); and

• provide opportunities for external and internal auditors
to meet and discuss their respective findings.
2.5.3 The Board however remains ultimately responsible for the
work performed by the Audit Committee, and should
therefore establish adequate controls to ensure the
effectiveness of the Committee in fulfilling the above
responsibilities.

3. Key qualities expected of internal audit function

3.1 Independence

3.1.1 The IAF must be independent from the day-to-day
operations of an AI’s business and functional units
(including units undertaking other internal control
functions) that are subject to its review. The Head of the
IAF should not have management responsibility related to
such business and functional units of the AI.

3.1.2 The IAF should report directly to the highest governing
levels of an AI, typically the Board (or the Audit
Committee), and be given the opportunity to discuss its
findings with members of the Board (or the Audit
Committee) without senior management's involvement.

3.1.3 In the case of foreign banks which operate as branches
or subsidiaries in Hong Kong, where it is not practicable
for the local IAF to report directly to the Board (or the
Audit Committee) of the foreign bank, the local IAF
should report to the group IAF, rather than to the local
management.

3.1.4 The IAF should be subject to independent review, which
can be carried out by independent parties such as
external auditors or other qualified independent
reviewers, or by the Audit Committee. Such review
should aim to evaluate the effectiveness of the IAF and,
where necessary, provide recommendations to improve
its effectiveness. Reviews should be conducted regularly
and cover all major aspects of the IAF’s work.

3.2 Authority and standing

3.2.1 The effectiveness of the IAF will be enhanced where its
importance is explicitly recognised by the Board and
senior management and communicated throughout the
organisation.

3.2.2 Each AI should therefore have an audit charter to
articulate the purpose, authority and standing of the IAF
within the AI. The charter should be drawn up and
periodically reviewed and updated by the IAF. The
charter and any subsequent amendments to it should be
approved by the Board (or the Audit Committee) and
communicated throughout the organisation. All these
processes should be properly documented.

3.2.3 An audit charter, at a minimum, should establish —

• the objectives and scope of the IAF;

• the IAF’s position within the organisation, its powers,
responsibilities and relations with other internal control
units;

• the accountability of the Head of IAF; and

• the terms and conditions according to which the IAF
can be called upon to provide consulting or advisory
services or to carry out other special tasks.

3.2.4 The audit charter should give the IAF the right on its own
initiative to communicate directly with members of the
Board (or the Audit Committee) and with any member of
staff, to examine any activity of the AI, and to access any
records, files, data or properties of the AI, including
management information systems and records and the
minutes of the AI’s consultative and decision-making
bodies, whenever relevant to the IAF’s assignments.


3.3 Objectivity and impartiality

3.3.1 The IAF must seek to preserve objectivity and impartiality
by avoiding any conflict of interest in performing its
duties. For instance —

• the IAF and its staff members must not be involved in
the business and functional units of the AI or in
selecting or implementing its internal control
measures;

• staff assignments within the IAF should be rotated
periodically whenever practicable;

• staff members of the IAF who are recruited internally
should not audit activities or functions they performed
within the last 12 months (or any longer “cooling-off”
period as appropriate);

• the Head of IAF should request the audit staff to
declare, and seek to mitigate as far as practicable,
any possible conflict of interest (e.g. the head or any
key personnel of the unit or department to be audited
is a close friend or relative of the audit staff
concerned);

• the Head of IAF should be responsible for ensuring
that any cases of impairment, or potential impairment,
of an internal auditor’s objectivity are properly reported
and addressed, with reporting lines clearly established
and communicated to staff;

• all the work done by internal auditors should be
properly documented for future verification as
necessary;

• for a locally incorporated AI, matters such as the
annual remuneration of the Head of IAF and of the
IAF as a whole² and budgeted resources of the IAF
should be reviewed and approved by the Board or its
relevant delegated committee (i.e. the Audit
Committee or Remuneration Committee). Where such
matters are considered by a committee of the Board, if
any members of the committee have a conflict of
interest (e.g. because they are from departments that
are subject to oversight by the IAF), such matters
should be discussed in the committee meetings
absent these members; and

• an AI incorporated outside Hong Kong should follow
its established internal policies to review and approve
the remuneration of the IAF in the Hong Kong branch.
The AI should take responsible steps to mitigate
conflicts in determining such remuneration.

² For the avoidance of doubt, annual remuneration would include any variable incentives-based
remuneration.

3.3.2 The need for objectivity and impartiality however does not
preclude the IAF from providing consulting or advisory
services to senior management. For instance, senior
management may request the IAF to give an opinion on
the necessary internal control systems and procedures
for important reorganisations, the commencement of
important activities or activities considered to carry
material risks, and the setting up or reorganisation of risk
management infrastructure (including management
information systems and information technology
systems). This would be acceptable provided that such
consultative and advisory services constitute only an
ancillary task of the IAF and where the IAF, for example,
only makes recommendations, but takes no part in the
actual decision-making or the eventual development and
introduction of the internal control systems or procedures,
which should remain the responsibility of senior
management.


3.4 Resources and professional competence 


3.4.1 The IAF should be provided with adequate resources to
perform its tasks. The amount of resources, in terms of
human, financial and technical support, should be
commensurate with the size, nature, scope and
complexity of the AI’s operations. For example, the
availability of skills and the knowledge and experience of
internal audit personnel should be adequate to address
the nature of risks inherent in the AI’s operations, and the
availability of manpower should be sufficient to complete
an audit cycle on major business operations within a
reasonable timeframe.

3.4.2 Staffing and continuing professional development should
be analysed and budgeted at least annually having
regard to the audit plan, with particular attention given to
any new knowledge and skills to be acquired, for
instance, through training or recruitment.

3.4.3 In order to be able to discharge their functions effectively,
internal auditors must possess an appropriate level of
professional qualification, technical proficiency and skills,
and knowledge about the AI’s business activities and
risks. The IAF should ensure that as a whole it
possesses the required knowledge, skills and other
competences to perform all assignments and examine all
areas in which the AI operates.

3.4.4 Internal auditors must have the ability to keep pace with,
and understand, the risks emerging from rapid financial
innovations and developments (e.g. in the form of high
risk or complex, structured products), as well as the skills
and methodologies to evaluate the robustness of systems
and controls for managing the associated risks, including
the assessment of risk models or metrics used.

3.5 Continuity

3.5.1 Each AI should have a permanent IAF that is adequately
manned by staff members with sufficient experience and
expertise.

3.5.2 To minimise potential disruptions in the event that key
personnel should leave the IAF, and to achieve continuity
in consistent application of audit procedures and
standards, it is important for adequate documentation to
be maintained.

3.5.3 In particular, all staff members of the IAF should be given
an audit manual which documents, among other things,
the audit charter, as well as all internal audit policies,
work processes and standards. Any subsequent
changes to the manual and the rationale behind such
changes should be properly recorded and communicated
to the staff members.

3.5.4 A written track record should also be maintained for all
audit work performed, audit recommendations, responses
of the audited parties, and the subsequent audit reports
and processes for finalising and implementing the audit
recommendations. Any decision which overrides any
aspect of the recommendations of the IAF should be
supported by adequate written justifications.

3.5.5 Whenever the Head of IAF is appointed or ceases to act
in this capacity, the AI concerned should inform the
HKMA in a timely manner with relevant information (e.g.
qualification of the new appointee and the circumstances
appertaining to the change in personnel), and make
public disclosure. The HKMA may consider meeting with
the outgoing Head of IAF after he has been relieved of
his duties.

4. Work process of internal audit function

4.1 General


4.1.1 AIs are expected to have a structured process for
performing internal auditing work, with well-defined
stages to ensure that the auditing work is prioritised
around the most material and relevant risks, and that
internal control weaknesses can be effectively identified
and addressed in a timely manner. Internal auditors
should adhere to applicable ethical and professional
standards in performing their work (including acting with
integrity, respecting confidentiality of information and
avoiding conflict of interest).

4.1.2 The work process should include at least the following
stages: devising an audit plan, drawing up an audit
programme for each assignment under the audit plan,
performing and documenting audit work procedures,
reporting audit findings and following up
recommendations.

4.2 Audit plan


4.2.1 An audit plan should document all audit assignments to
be performed, establishing their priority, timing and
frequency. It should also set out the manpower and
financial resources required to achieve the audit
assignments within a realistic time frame. If an audit plan
spans a few years, it should be reviewed and updated at
least annually.

4.2.2 The audit plan should be established by the IAF and
approved by the Board (or the Audit Committee). It
should cover reviews or assessments of key risk
management functions, regulatory capital adequacy and
liquidity control functions, regulatory and internal
reporting functions, compliance function and finance
function. There should also be adequate coverage of
matters of regulatory interest, including policies,
processes and governance measures established in
response to various regulatory principles, rules and
guidance established by the HKMA and any other
relevant authorities.

4.2.3 The extent, nature and frequency of the audit
assignments to be performed should be risk-focused and
driven by the results of a comprehensive assessment
conducted by the IAF of the risks inherent in all significant
activities of an AI (and its subsidiaries) or likely to emerge
from expected developments and innovations, particularly
from new activities which generally carry a higher degree
of risk, and of the internal control systems for managing
those risks. The risk assessment criteria should include
quantitative and qualitative factors.

4.2.4 The principles for the risk assessment methodology
should be established in writing by the IAF and regularly
updated to reflect changes to the system of internal
controls or work processes and to incorporate new lines
of business.

4.2.5 All activities of an AI, including those undertaken by its
branches and subsidiaries (whether banking or
non-banking), should be subject to the IAF’s scope of review.
In conducting its review, the IAF should not limit itself to
auditing specific units or departments, but should also
pay attention to auditing specific activities conducted by
or across different units or departments.

4.3 Audit programme

4.3.1 For each audit assignment, the IAF should prepare an
audit programme to clearly set out —

• the objectives that the assignment plans to achieve;

• the scope of the assignment in relation to which
business or functional units will be involved and the
areas of their internal control procedures to be
examined;

• the audit methodologies to be adopted for the
assignment. Common methodologies include
enquiries with management, analytical reviews,
walk-through procedures, external confirmations and
sample testing;

• the parties to whom the audit report should be
communicated;

• the schedule for field work and issuance of reports.
Particularly for larger assignments, it will be useful to
develop a form of Gantt chart illustrating the time span
for various activities individually to facilitate planning
and monitoring of work; and

• the budget for manpower and other resources
required for the assignment.

4.4 Audit procedures
4.4.1 All audit work procedures performed should be
documented in working papers. These papers constitute
the basis for drafting the audit report and should contain
sufficient evidence to support the opinion formed.

4.4.2 Internal audit staff should clearly understand that their
working papers are formal evidence of their work and
may be subject to rigorous review and query by internal
or external parties including the HKMA. The working
papers must therefore be —

• legible, organised and readily available upon request,
and only information that is relevant to achieving the
audit objective should be included;

• drawn up according to a well-determined method (e.g.
use of suitable indexes and cross-references) to
facilitate subsequent review; and

• able to reflect that the auditing work has been duly
performed and provide an audit trail for checking how
the work has been performed.

4.5 Audit reporting


4.5.1 A draft report presenting the scope and purpose of the
audit assignment, as well as the preliminary audit findings
and recommendations in respect of any internal control
weaknesses identified, should generally be issued to the
management of the audited business or functional units
for comments before the final report is prepared. This will
provide the internal auditors and the relevant
management with an opportunity to exchange views and
comments on the audit findings so as to avoid any
misunderstanding or misinterpretation about the findings
before the report is formally issued.

4.5.2 In the case of disagreement between the management
and the internal auditors in respect of any important
findings or recommendations included in the draft report
that cannot be resolved, the IAF should retain in the final
report such findings or recommendations, include
reference to the different views presented by the
management, and submit the report to senior
management and the Board (or the Audit Committee) for
their consideration and further action.

4.5.3 As soon as practicable, a final report in respect of the
audit assignment should be issued to the management of
the audited business or functional units, senior
management and the Board (or the Audit Committee),
incorporating the responses from the relevant
management on the findings and recommendations, as
well as the action plan which outlines the remedial
measures to be taken to address the internal control
weaknesses identified, their target completion dates, and
the responsible parties for carrying out the remedial
measures.

4.5.4 During the course of the audit assignment, the IAF should
retain the option to issue, and should consider the
necessity of issuing, an interim report to the relevant
management, or if necessary also to senior management
and the Board (or the Audit Committee) where, for
instance, serious issues are identified that should be
brought to their immediate attention, or the audit
assignment extends over a relatively long period.

4.5.5 In addition to the above, the IAF should provide regular
reports to the Board (or the Audit Committee),
summarising the results of the IAF’s work, including
overall conclusions or assessments, key findings,
material risks and issues, and follow-up of
management’s resolution of identified issues. Simply
reporting that certain audit reports have been completed
may be insufficient to assist the Board to carry out its
responsibilities effectively.


4.6 Follow-up procedures 


4.6.1 The principal responsibility for implementing timely and
effective remedial measures to address internal control
weaknesses identified by the IAF should rest with the
management of the audited business or functional units.

4.6.2 The IAF should conduct follow-up reviews with the
relevant management on a regular basis to monitor the
implementation progress and report the results
periodically (say, every half-year) to senior management
as well as the Board or the Audit Committee (or to the
group IAF in the case of the local IAF of a foreign bank
branch or subsidiary). The follow-up report should
highlight, among other things —

• any areas of delay according to the action plan;

• any remedial measures that have not been properly
implemented; or

• any remedial measures that are found after
implementation to be ineffective in addressing the
internal control weaknesses identified, together with
further proposed actions to address the weaknesses.


5. Relationship with risk management and compliance
functions and external auditors


5.1 Risk management and compliance functions 


5.1.1 Structurally, the risk management and compliance
functions should be separate from, and subject to the
independent review of, the IAF. The main responsibilities
of an AI’s risk management function include ensuring that
all relevant risks of the AI are properly identified, well
understood, measured, controlled, assessed and
reported, whereas the compliance function is responsible
for identifying, assessing, monitoring and reporting and
advising on compliance risk in respect of legislation,
rules, standards and guidelines issued by regulators, and
codes of practice promoted by industry associations
applicable to the AI as well as internal policies and codes
of conduct applicable to staff members.

5.1.2 The work performed by the independent risk
management and compliance functions provides the IAF
with a valuable source of information for the identification
of any deficiencies in an AI’s internal control systems.

5.1.3 Some AIs have established separate internal control
processes within business or functional units to monitor
and assess compliance of specific activities with internal
control and compliance standards. There are also AIs
which require individual business or functional units to
conduct regular self-assessments to ensure that
operational and control procedures are properly followed.
The existence of such mechanisms does not relieve the
IAF from the responsibility of examining the internal
controls related to the specific activities to ensure that
they are functioning adequately. However, if conducted
effectively, these mechanisms may provide a useful
source of information that the IAF and the compliance
function can make use of for the ongoing monitoring of
how well relevant activities are being managed and
controlled.


5.2 External auditors 


5.2.1 External auditors appointed by an AI (to comply with
requirements under the Banking Ordinance or the
Companies Ordinance or otherwise) have an important
role to play in the ongoing enhancement of the AI’s
internal control systems insofar as system or control
deficiencies may be uncovered in the course of the
conduct of their work.

5.2.2 The work of the external auditors should complement that
of the IAF and vice versa. The Board (or the Audit
Committee) should ensure that a mechanism is in place
for the external auditors and the IAF to keep each other
informed of any significant matters of concern identified
that may affect the work of the other. Coordination of
auditing efforts may involve periodic meetings to discuss
matters of mutual interest, the exchange of audit reports
and management letters, and a common understanding
of auditing techniques, terminology and methods
employed.

5.2.3 The Board may also consider commissioning external
auditors or other qualified independent reviewers to
perform a comprehensive check specifically on the
operations of the IAF, on a periodic or need basis. This
should serve to introduce or transfer knowledge of
techniques and practices for internal controls, risk
management and internal auditing, in order to enhance
the efficiency and effectiveness of the IAF, in the face of
the changing market environment in which the AI
operates or in relation to its involvement in new business
activities and financial products.


Outsourcing of internal audit function 


6.1 General 


6.1.1 This section refers to outsourcing the IAF to an external
party. It should be read in conjunction with section 2 of
the Supervisory Policy Manual module SA-2 on
Outsourcing for details of the outsourcing process.

6.1.2 An AI may in some circumstances consider it necessary
to outsource its IAF, in whole or in part, to an external
party which provides internal auditing services.
Outsourcing (on a limited or targeted basis) can bring
significant benefits to AIs such as access to specialised
expertise and knowledge for a special audit project
otherwise not available within the organisation. However,
outsourcing may also give rise to the risks of losing or
reducing controls over the outsourced internal auditing
activities, which the AI concerned needs to manage and
monitor closely.

6.1.3 AIs which intend to outsource the IAF or to change the
scope of existing outsourcing arrangements, in whole or
in part, should discuss their plans with the HKMA in
advance and provide sound justifications.

6.1.4 It should however be emphasised that regardless of
whether internal auditing activities are outsourced, the
Board remains ultimately responsible for ensuring that the
internal control systems are subject to adequate
independent assessment.


6.2 Full or partial outsourcing


6.2.1 Generally, the HKMA would only regard as acceptable
the outsourcing of the internal audit of an AI’s entire
operations under very limited circumstances. An example
would be that the AI’s operations are so small and simple
that the maintenance of a full-scope internal audit team in
Hong Kong is not justified. In such cases, it may still be
necessary for the AI to maintain a small IAF or, if that is
not practicable, the AI should at least designate a senior
and experienced individual to liaise with the service
provider on the internal auditing work to be performed
and to follow up on audit findings and the rectification of
weaknesses identified. In the case of foreign bank
branches and subsidiaries, any outsourcing arrangement
should not preclude the group IAF from conducting audits
on the Hong Kong operations.

6.2.2 The HKMA would normally expect AIs only to outsource
certain specific audit assignments where necessary
because, for instance, the IAF is not sufficiently proficient
or resourced to conduct them. In any such case, AIs are
however encouraged to see to it that whenever
practicable, the knowledge of the external expert is
eventually integrated into the IAF, possibly by having one
or more than one staff member of the IAF participating in
the work of the expert.


6.3 Criteria for outsourcing 


6.3.1 Set out below are some factors that the HKMA will have
regard to in considering whether the outsourcing
arrangement is acceptable from a supervisory point of
view.

• It is important to ensure that any third party service
providers to which the IAF activities are outsourced
can carry out the tasks independently. For this
reason, the HKMA generally expects that AIs will not
outsource to its existing external auditors, or to a
service provider that has been involved in the area to
be outsourced before a reasonable cooling off period
has expired. If an AI reasonably considers that it is
not practical to identify any service provider which can
meet this general expectation, or that there are strong
justifications for engaging a service provider for a
given outsourced IAF arrangement in deviation from
this general expectation, the AI should properly
document its assessment (including any potential
conflict of interest threatening independence and the
institution of any compensating safeguards). It should
stand ready to provide detailed justification of its
decision upon request by the HKMA.

• The AI should perform due diligence to satisfy itself
that the service provider is a competent, financially
sound firm with sufficient knowledge, resources and
expertise in the relevant areas.

• The outsourcing contract should be in written form —

- defining the service provider’s assignments and
responsibilities;

- making it a requirement for senior management to
be consulted on the risk analyses to be
performed and the audit plan to be established;

- providing senior management or its
representative(s), the external auditors, and the
HKMA with access at any time to the service
provider’s records relating to the service
provider’s audit plan, audit assignments and
working papers, etc;

- requiring the service provider to adhere to
applicable professional standards and codes of
ethics; and

- requiring the service provider to commit adequate
resources to effectively perform the required
assignments under the audit plan, with a protocol
for changing the terms of the contract, especially
for expansion of auditing work if significant issues
are found.

• Other relevant supervisory standards included in SA-2
“Outsourcing” should be satisfied.

6.3.2 AIs with outsourced internal audit activities are expected
to assess the impact of such outsourcing on their overall
risk profile and internal control systems. AIs should have
a contingency plan for replacing a service provider in the
event of a sudden termination of an outsourcing contract.
Having regard to the lead time for appointing a suitable
service provider as replacement, the AI may need to
consider increasing its own internal auditing efforts in the
interim.


6.4 Reporting arrangements


6.4.1 Communication between the IAF and the Board (or the
Audit Committee) and senior management (and also
between the local IAF and the group IAF in the case of
foreign bank branches and subsidiaries) should not
diminish in respect of any audit assignment which is
outsourced.

6.4.2 The IAF should be responsible for the results of the
outsourced auditing work, including findings, conclusions
and recommendations. All work by the service provider
should be well documented and all findings of control
weaknesses should be promptly reported to the IAF.

6.4.3 The IAF should in turn, after consultation with the
management of the audited business or functional units,
report the findings of the service provider, together with
its comments, to the Board (or the Audit Committee) and
senior management (and also the group IAF in the case
of the local IAF of a foreign bank branch or subsidiary),
where appropriate.

6.4.4 In cases where an AI has not maintained an IAF after
outsourcing all of its internal auditing activities, there
should be an individual designated by the AI (as noted in
paragraph 6.2.1) for handling communications between
the service provider and the Board (or the Audit
Committee) and senior management (and also the group
IAF in the case of a foreign bank branch or subsidiary).


7. Supervisory assessment of internal audit function


7.1 General 


7.1.1 Under its risk-based supervisory approach, the HKMA
may, where appropriate, leverage on the work done by an
IAF that is adequately resourced with sufficient expertise,
standing and independence within an AI to facilitate its
supervisory assessment of the AI’s internal control
systems and determine its scope of examination on the
AI.

7.1.2 For locally incorporated AIs of which the HKMA is the
home supervisor, the HKMA is directly responsible for
reviewing the extent to which the relevant standards
contained in this module are met by the AIs on a
group-wide basis. In particular, the purpose of the HKMA’s
review is to ascertain whether the IAF of these AIs is
effective given the nature and scale of their operations
(including overseas operations in the form of branches or
subsidiaries).

7.1.3 For branches and subsidiaries of foreign banks³
operating in Hong Kong, the ultimate responsibility for
assessing the effectiveness of the IAF on a group-wide
basis rests with the bank’s home supervisor. The
HKMA’s supervisory focus is on the part of the IAF
covering the Hong Kong operations of such branches
and subsidiaries. If a local subsidiary of a foreign bank
has overseas operations, the IAF covering those
operations will also be assessed.

³ This also applies to any AI which is a subsidiary of a regulated financial holding company.

7.2 Scope of assessment

7.2.1 The HKMA will determine the effectiveness of the IAF by
evaluating the extent to which it can ensure that the
internal control policies and processes are complied with,
and continue to be sufficient and appropriate for an AI’s
existing businesses and planned business
developments, if any. The HKMA will also assess
whether the IAF is able to make suitable
recommendations, where necessary, to improve the
effectiveness of those policies and processes. However,
the Board and senior management of the AI remain
primarily responsible for ensuring that the standards of
this module are met. The HKMA’s supervisory
assessment is not a substitute for the AI’s internal or
external assessments on the efficacy of the IAF.

7.2.2 In its supervisory assessment of the effectiveness of the
IAF, the HKMA will place special emphasis on whether
the IAF —

• has sufficient resources, and staff who are suitably
trained and have relevant skills, knowledge and
experience to understand and evaluate the business
they are auditing;

• has appropriate independence and authority, including
reporting lines and status within the AI (or banking
group), to ensure that senior management acts upon
its recommendations adequately;

• has full and unfettered access to, including
communication with, any member of staff as well as
full and unfettered access to records, files, data or
properties of the AI and its affiliates, whenever
relevant to the performance of its duties;

• employs a methodology that identifies the material
risks run by the AI and prepares audit plans based on
its own risk assessment and allocates its resources
accordingly; and

• has the authority to assess any outsourced functions.


7.3 Means of assessment

7.3.1 The HKMA will assess the effectiveness of an AI’s IAF as
part of its ongoing risk-based supervisory process,
normally through documentary review and appropriate
contacts with the IAF, senior management and external
auditors of the AI.

7.3.2 For the purpose of its documentary review, the HKMA will
normally require an AI to provide (e.g. during off-site
reviews or on-site examinations or on a need basis)
documents and information for the purpose of assessing
the extent to which certain key determinants of an
effective IAF exist. These include —

Independence and authority

• organisation chart showing the reporting line of the
IAF;

• information on the structure and functions of the IAF;

Expertise, resources and staff management

• list of members (with organisational titles) in the Audit
Committee, if any;

• qualifications and past experience of the Head of IAF
and staff members of IAF;

• frequency of and plan for staff rotation in the IAF;

Authority and documentation of policy and procedures

• audit charter or other form of equivalent written
mandate;

• internal audit policies and manual;

Appropriateness of audit coverage and implementation of
audit recommendations

• current and coming year’s audit plan covering all
business or functional units subject to audit within the
AI, including risk assessment and audit priorities in
respect of individual units or activities;

• internal audit programme, working papers and internal
audit reports showing work done in the past 12
months and management responses to
recommendations and follow-up actions;

• current progress of work and reasons for deviations
from the audit plan, if any;

Quality assurance

• letters or reports from the external auditors or other
supervisory authorities informing the management of
significant weaknesses in the IAF and
recommendations for improvement, if any. In the case
of a local IAF of a foreign bank branch or subsidiary,
this will include reports made by the group IAF; and

• documents and reports submitted by the IAF to the
Audit Committee, and minutes of meetings of the
Audit Committee, where an Audit Committee is
established (see paragraph 2.5.1 for expectations
regarding the establishment of an Audit Committee).

7.3.3 The HKMA may supplement documentary review with
interactive dialogue with any party the HKMA considers
relevant to maintaining the effectiveness of the IAF of an
AI. This will enable the HKMA to form a better
assessment of how well the work of the IAF is being
conducted or reviewed by the relevant parties involved.
Such dialogue may be conducted on the following
occasions:


• High-level meetings with the Board or the Audit
Committee of locally incorporated banks on an annual
basis to discuss, inter alia, risk management and
internal control issues. In relation to the IAF, issues
would cover the audit plan, any recent changes to the
structure of the IAF or to audit procedures, the results
of any independent review conducted by the Audit
Committee on the IAF, etc;

• On-site examinations during which the HKMA’s
examination team will meet with the internal auditors
to exchange views and ideas on matters such as audit
coverage and frequency, weaknesses and major
issues identified, progress on implementation of any
audit recommendations and the mechanism for
tracking progress etc, particularly in relation to areas
to be examined in the on-site examinations;

• Prudential interviews with senior management of AIs,
and their internal auditors, where necessary, following
an off-site review to discuss issues of supervisory
concern identified during the review (which may cover
issues similar to those mentioned above for on-site
examinations). Meetings with internal auditors may
also be separately arranged whenever necessary to
discuss internal control issues identified;

• Meetings with group internal auditors of foreign banks
on their visit to audit their Hong Kong branches or
subsidiaries, whether at the start of the audit (e.g. to
discuss the audit coverage) or at the close of it (e.g. to
discuss any issues identified in relation to the
adequacy of the internal control systems or the
effectiveness of the local IAF). The HKMA would also
expect to receive a copy of the report formally issued
after the visit;

• Tripartite meetings with external auditors (or service
provider(s)) to which any part of an AI’s internal
auditing work has been outsourced, or with external
auditors who have been appointed by an AI to
conduct special reviews (e.g. under section 59(2) of
the Banking Ordinance) relating in whole or in part to
issues concerning the effectiveness of the IAF; and

• Bilateral meetings with the home supervisors of
foreign banks with branches or subsidiaries in Hong
Kong, in which such supervisors and the HKMA will,
where necessary, exchange views on the
effectiveness of the IAF at the local and group levels.


7.4 Supervisory actions 


7.4.1 If the HKMA becomes aware of deficiencies in an AI’s
IAF, it will draw them to the attention of the AI’s Board
and senior management, and discuss measures to
urgently address the situation. The AI should keep the
HKMA informed of the progress in implementing any
necessary remedial actions.

7.4.2 Deficiencies in the AI’s IAF and implementation of the
necessary remedial actions will be taken into account in
the HKMA’s supervisory review process and/or
determination of the CAMEL rating in respect of the AI.
In more serious cases, deficiencies in an AI’s IAF may
call into question whether the AI continues to satisfy the
minimum criteria for authorization in the Banking
Ordinance and cast doubt on the fitness and propriety of
the AI’s directors and senior management.